Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Security Bulletin: IBM Domino TLS server Diffie-Hellman key validation vulnerability (CVE-2016-6087)

Daniel Nashed  1 June 2017 07:27:46
There is a vulnerability in the TLS stack which could lead to an exploit resulting in a less secure connection.
The good news is that the fix is already included in FP8. So you should upgrade to 9.0.1 FP8 if you have a public-facing Domino server with HTTPS.

See the details and reference below.

-- Daniel

A vulnerability in the IBM Domino TLS server's Diffie-Hellman parameter validation could potentially be exploited in a small subgroup attack which could result in a less secure connection.
An attacker may be able to exploit this vulnerability to obtain user authentication credentials.
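The bulletin's fix is the validation step a TLS server must run on the peer's Diffie-Hellman public value before using it. The check below is an added illustration, not Domino's code or the IBM patch: it assumes a safe-prime group (p = 2q + 1, as in the RFC 3526 MODP groups) and a constructed toy modulus p = 1019 so it runs offline. It rejects the values a small-subgroup attack relies on (y = 0, 1 or p - 1, and any y outside the order-q subgroup) and shows why the range check alone matters: with y = p - 1 the "shared secret" collapses to 1 or p - 1 and depends only on the parity of the private exponent.

```python
"""Defender-side validation of a Diffie-Hellman public value (added example).

Group parameters are assumed to be a safe prime p = 2q + 1, so the only
subgroups of Z_p^* have order 1, 2, q or 2q.  Accepting a peer value in the
order-1 or order-2 subgroup (y = 1 or y = p - 1) or outside the order-q
subgroup is what a small-subgroup attack exploits.
"""

# Bases for a Miller-Rabin test that is deterministic for all n < 3.3e24;
# enough for this demonstration (a production stack uses its library's test).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with fixed bases."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dh_public_value(y: int, p: int) -> tuple[bool, str]:
    """Return (ok, reason) for a peer's public value y under safe prime p.

    Order of checks: group sanity (p and q prime, p = 2q + 1), then the
    range check 2 <= y <= p - 2, then subgroup membership y^q == 1 (mod p).
    """
    q = (p - 1) // 2
    if p % 2 == 0 or p != 2 * q + 1 or not (is_probable_prime(p) and is_probable_prime(q)):
        return False, "p is not a safe prime"
    if not 2 <= y <= p - 2:
        return False, "public value outside [2, p-2]"
    if pow(y, q, p) != 1:
        return False, "public value not in the order-q subgroup"
    return True, "ok"


def shared_secret_without_check(y_peer: int, x_private: int, p: int) -> int:
    """What an unvalidating server computes: plain modular exponentiation.

    With y_peer = p - 1 the result is 1 for even x_private and p - 1 for
    odd x_private, i.e. the peer learns one bit of the private exponent
    from each session; repeated sessions are how the bulletin's attack
    accumulates information.
    """
    return pow(y_peer, x_private, p)


# Constructed toy parameters: p = 1019 = 2 * 509 + 1 is a safe prime, and
# g = 4 is a quadratic residue, so it generates the order-509 subgroup.
TOY_P = 1019
TOY_G = 4


def demo() -> list[tuple[int, bool, str]]:
    """Run the check over an honest value and the classic bad values."""
    honest = pow(TOY_G, 123, TOY_P)          # legitimate peer value
    candidates = [honest, 0, 1, TOY_P - 1, 2]  # 2 is a non-residue here
    return [(y, *validate_dh_public_value(y, TOY_P)) for y in candidates]


if __name__ == "__main__":
    for y, ok, reason in demo():
        print(f"y={y:4d}  accepted={ok!s:5}  {reason}")
    print("secret with y=p-1, even x:", shared_secret_without_check(TOY_P - 1, 2, TOY_P))
    print("secret with y=p-1, odd  x:", shared_secret_without_check(TOY_P - 1, 3, TOY_P))
```

For the real 2048-bit and larger MODP groups the same three checks apply unchanged; the q-th-power test is the expensive one, which is why some stacks historically skipped it, and why the safe-prime range check (y not in {0, 1, p-1}) is the minimum a server must do.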

Vulnerability Details

CVEID: CVE-2016-6087
DESCRIPTION: IBM Domino could allow an attacker to steal credentials using multiple sessions and large amounts of data using Domino TLS Key Exchange validation.

CVE-2016-6087 is tracked as SPR# DKEN9WGMYE.


http://www.ibm.com/support/docview.wss?uid=swg22002808

